Forwarding to Syslog
Syslog (System Logging Protocol) is a standard used chiefly by network devices to send events and logs in a defined format to a centralized system for storage and analysis. A Syslog event includes a severity level, host IP, timestamp, diagnostic information, and so on.
Sysdig Event Forwarding allows you to send events gathered by Sysdig Secure to a Syslog server.
Configure Syslog Event Forwarding
To forward event data to a Syslog Server:
From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.
Click the Add Integration button.
Select Syslog from the drop-down menu.
Configure the required options:
Integration Name: Define an integration name.
Address: Specify the Syslog server where the events are forwarded. Enter a domain name or IP address. If a domain name resolves to several IP addresses, the first resolved address is used.
Port: Specify the port number.
Protocol: Choose the protocol depending on the server you are sending the logs to:
RFC 3164: RFC 3164 is the older version of the protocol; default port and transport is 514/UDP.
RFC 5424: RFC 5424 is the current version of the protocol; default port and transport is 514/UDP.
RFC 5425 (TLS): RFC 5425 (TLS) is an extension to RFC 5424 that uses an encrypted channel; default port and transport is 6514/TCP.
UDP/TCP: Define the transport layer protocol (UDP or TCP). Use TCP for security incidents, as it is far more reliable than UDP for handling network congestion and preventing packet loss.
NOTE: RFC 5425 (TLS) only supports TCP.
Data to Send: Currently, Sysdig only supports sending policy events (events from Sysdig Secure).
Allow insecure connections: Toggle on to allow insecure connections, i.e. to accept an invalid or self-signed certificate on the receiving side.
Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.
Click the Save button to save the integration.
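The formats listed under Protocol differ in how the receiving server has to parse each message, and the TCP and TLS transports additionally frame each message by byte count, so it helps to know what the collector will actually see when you test the integration. As an added example that is not part of the Sysdig documentation, the Python below parses a single RFC 3164 or RFC 5424 message into the facility, severity, host and timestamp fields the page mentions, and unframes the octet-counted stream used over TCP and RFC 5425 (TLS); the sample messages are constructed, not real Sysdig output, and the structured-data handling is simplified.

```python
import re
from dataclasses import dataclass

# Severity names indexed by PRI % 8; facility is PRI // 8 (RFC 5424 section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class SyslogEvent:
    rfc: str        # "3164" or "5424"
    facility: int
    severity: str
    hostname: str
    timestamp: str
    message: str

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# (structured data is simplified: an escaped "]" inside a param value is not handled).
RFC5424_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ "
                        r"(?:-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$", re.DOTALL)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                        r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

def parse_syslog(line: str) -> SyslogEvent:
    """Parse one syslog message in either RFC 3164 or RFC 5424 format."""
    rfc, m = "5424", RFC5424_RE.match(line)
    if m is None:
        rfc, m = "3164", RFC3164_RE.match(line)
    if m is None:
        raise ValueError("not a recognised syslog message")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    return SyslogEvent(rfc, pri // 8, SEVERITIES[pri % 8],
                       m.group("host"), m.group("ts"), m.group("msg"))

def split_octet_counted(stream: bytes) -> list:
    """Unframe an octet-counted TCP/TLS stream ("LEN SP MSG" repeated, RFC 5425/6587)."""
    msgs, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        msgs.append(stream[sp + 1:sp + 1 + n].decode("utf-8"))
        i = sp + 1 + n
    return msgs

# Constructed sample messages (not real Sysdig output) in the two formats the page lists.
SAMPLE_3164 = "<13>Oct  5 14:23:01 sysdig-agent Sysdig policy event: Terminal shell in container"
SAMPLE_5424 = ('<132>1 2024-03-01T12:00:00Z sysdig-agent sysdig - - '
               '[policy severity="high"] Terminal shell in container')
# The same two messages as they would arrive on one TCP/TLS connection.
SAMPLE_STREAM = "".join(f"{len(m.encode())} {m}" for m in (SAMPLE_5424, SAMPLE_3164)).encode()
```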